Cloud computing

JIE is linchpin of next-generation classified cloud

Constructing and securing a classified cloud hinges to a growing extent on an overarching framework known as the Joint Information Environment. JIE takes in nearly all key DOD IT efforts and will specify a security architecture that all three services will be held to.

In short, JIE is one of the largest joint IT efforts the U.S. military has ever attempted. For now, Pentagon leaders are working to ensure that all three services are on board with the initiative as they look to the first stages of implementation. The goal is interoperable cloud-based networks and services that will be able to deliver secure voice, data and intelligence where and when they are needed.

Plans released recently by the Defense Information Systems Agency also call for incorporating new cyber operations capabilities within JIE that the agency refers to as an “analytical cloud.” This component would, for example, enable big data techniques for ferreting out network attacks and insider threats.

The effort to develop a joint classified cloud comes as senior DOD leaders seek to balance “ends, ways and means” as budget sequestration forces them to choose between military capabilities or capacity. Explained Adm. James Winnefeld, vice chairman of the U.S. Joint Chiefs of Staff: “We will have fewer means with which to achieve our national security ends, so we need to do our best to sharpen the edge on the military instrument of power in the most effective ways we can. Much of that sharpening right now is focused on IT.”

Winnefeld and others note some “institutional resistance” to JIE. While the effort is “not a panacea,” he acknowledged, “it aims to provide ... a shared IT infrastructure and a common set of enterprise services all under a single security architecture.”

JIE will include networked operation centers, data hubs and an identity management system with cloud-based apps and services. Along with allowing operations at the edge of the network using any device, JIE is intended to accelerate the “collapsing” of network command and control nodes while reducing DOD’s network management overhead. 

To that end, U.S. European Command opened an enterprise operations center in July 2013 as a sort of JIE prototype intended to consolidate dozens of command and control nodes. Pacific and U.S. operations centers are expected to be rolled out over the next year or so.

Securing the classified cloud through JIE’s architecture remains a priority, and senior IT officials believe they can leverage cloud capabilities without sacrificing security. “Our airmen should be able to access their information from any device they use anywhere in the world,” said Lt. Gen. Michael Basla, the Air Force’s CIO. “Some may be hosted commercially, like public web pages. Others might be hosted in a private cloud to ensure greater control.”

Basla said the Air Force is looking for areas where the service can help lead with JIE implementation. To that end, Air Force commands are working on operational baselines “that lay the foundation for interoperability and information sharing across” the Air Force. Those systems will be designed and fielded “within the security and architectural specifications of the” JIE, Basla said.

DISA is responsible for managing the technical aspects of JIE design and implementation. Among its responsibilities is developing security standards within an overall secure architecture and working out details like access issues and identity management. 

DISA Director Lt. General Ronnie Hawkins has expressed some misgivings about whether JIE’s secure architecture should be considered “single,” but insists his agency is “on track” to synchronize JIE development as “an incremental process.”

A key role will be played by the JIE Technical Synchronization Office, which is led by DISA and includes service representatives. “All the services have engineering specialties within the Joint Technical Synchronization Office,” Hawkins said. “We are building up that office.”

An executive committee overseeing JIE development was scheduled to meet in late September. The panel is chaired by DOD CIO Teri Takai, Army Lt. Gen. Mark Bowman, CIO of the Joint Staff, and Cyber Command chief Gen. Keith Alexander. 

“JIE is going to leverage the investments that we have today,” Bowman stressed. “We’re going to have to look at those investments that we’ve got going and decide which we should continue and which ones we should change.”

Bowman went on to warn, “JIE is not a platform that people can hook their trailer to to get their program funded. Some are trying to do that today” while others “are waiting for it to go away.”

One way to nail down security is through better standards for identity management. “We need to have security [adhering] to a standard,” Bowman added, noting that DISA is working on those specs. “User-based access, access to the right data based on who you are ... that’s the end state,” he said.

As for intelligence and “special access programs,” Bowman added that “there ought to be a cloud for a lot of” the special access programs. “That’s another area that we’re going to be looking at.”

Either way, “We can’t continue operating our networks the way we do today with different guys operating a portion of the network and not worrying about the rest of the network,” Bowman continued. “If somebody is operating outside what we need to do for security reasons, we need to change that. For interoperability reasons, we need to do the same.”

As budget uncertainty continues to hover over the Pentagon, key stakeholders continue to back JIE as the best way to deliver a secure classified cloud that provides greater interoperability. Still, senior officials concede that nothing less than a culture change will be required to take JIE from the drawing board to the battlefield.

DISA’s Hawkins, for one, thinks the coming generational shift in the U.S. military will help promote the joint effort where previous attempts have often failed. 

“Aside from the budget, [the] toughest nut to crack is to inculcate within the next generation of leaders and operators the capabilities that they need to do in the joint environment,” Hawkins said. “We need to get more people [into] the joint environment and not leave them in their particular service [because] you can’t do it alone.”

Reader Comments

Wed, Dec 18, 2013 AF IT Security Professional Unemployment Line

Security for the JIE will, in part, be predicated on the weakest trusted link which will include the commercial cloud computing environments that will invariably be used. Based on recent (4 years or so) history, Air Force security will continue to be sacrificed at the altar of expediency - which would put them in the running for the weakest trusted link title! Since around 2010 Air Force base circuit enclave computing environments, both SIPR and NIPR, have had waivers to 90% of the security requirements without any prerequisite to produce evidence of real security. The Air Force SIAO “considers” these environments secure enough to declare the IA controls compliant on a wholesale level in a signed memo. Boots on the ground security professionals who identified and asked questions about vulnerabilities were once again told to shut up and color. The memo was the solution for all enclaves when they failed to prove they met the minimum requirements to be legally eligible for an ATO. Additional benefits identified in the memo included “…eliminating duplicative work and the need to validate all IA controls at each NIPRNET and SIPRNET base enclave; enables Operationalizing and Professionalizing the Network (OPTN) of the AFNet; saves funding and man-hours in the certification and accreditation process; facilitates the ability for the AF Designated Accrediting Authority (DAA) to fully accredit base networks with an Authorization To Operate (ATO); improves AF FISMA compliance; and ensures our base networks, as critical mission enablers, maintain connectivity to the Defense Information Systems Network (DISN).” The glaring omission is any reference to SECURITY!! The memo went so far as to produce spreadsheets for the IAMs with the compliance answers to the Enclave IA controls that could be loaded into their EITDR/eMASS records!
Gen Hawkins would be wise to look behind the curtain on the current Air Force CAP and require independent oversight of all participants of the Joint Information Environment.

Fri, Oct 18, 2013 John Weiler, IT-AAC.org United States

General Hawkins is right on target in trying to avoid "doing the same thing and expecting different results". Having completed one of the most comprehensive root cause analyses of Defense IT Program failures, we find the waterfall acquisition process and failure to tap commercial standards of practice key factors in DOD's inability to replicate the successes of commercial industry. Fortune 1000 companies also failed in their early adoption of SOA/Cloud architectures, but did so quickly with minimal costs. They were also allowed to fail, allowing for lessons learned to be carried forward in the next iteration. What we see in DOD is an inability to learn from failure, and continued reliance on the same resources and methods that contributed to these avoidable challenges. DISA must find an organic way of reaching outside the defense industrial base of suppliers and FFRDCs if they are going to get JIE right. There are too many rice bowls and vested interests in protecting the status quo with its "trusted advisers". Throw away your green stamps and bring in your critics.

Fri, Oct 11, 2013 Andy Southern Virginia

The criticism above that this may make it easier for adversaries to gain access to systems through a single unified security construct vs the disjointed security environment the DoD currently has is a little oversimplistic. By reducing the number of vulnerabilities across the Joint enterprise, it makes security analysis and risk mitigation easier for the DoD, which actually will make it harder for an adversary to gain access. Yeah, a potential adversary is going to know where the door is, but it will have a much better lock than the weakest link in the current approach.

Wed, Oct 9, 2013 Northern Virginia

As tempting, tantalizing, and idealistic as JIE presents itself, the risk to security may be even greater under JIE. Instead of threat countries trying to understand our IT structure that we ourselves have difficulty understanding, we will make it easier on ourselves and them under a single unified architecture. Only 'one door' to hack through with JIE.

Wed, Oct 9, 2013 Northern Virginia

The author failed to mention which Service is not participating in JIE. Or, does he need to be reminded that there are four DoD Services, and only three sub-Departments in the Department of Defense.
